Making sense of Java security realities

Millions of people use Java every day, but unfortunately the number who are running properly secured installations is much smaller. Matthew Schwartz wrote on InformationWeek that half of users are still on Java 6, which Oracle retired last month; this shows that most do not realize how important it is to keep the program patched and current. Without keeping it as up to date as possible, companies may fall victim to data breaches or make themselves easy targets for attacks.

"In the wake of active attacks against zero-day vulnerabilities in Java that were being exploited to install McRAT malware, Oracle this week released Java 7 update 17 (it skipped issuing an update 16) and Java 6 update 43 (skipping update 42)," he wrote on the website. "Both updates patch two critical bugs, one of which attackers were exploiting to fully compromise vulnerable PCs. Needless to say, Oracle and security experts at large have recommended that Java users upgrade as soon as possible."

Security experts now count the time between new attacks on Java in days rather than weeks or months, as attacks targeting this program have become far more common.

Other facts about Java that Schwartz believes are important to keep in mind include:
– Oracle has improved the speed at which it patches security holes in Java, so companies that update regularly can keep the program current and experience fewer problems than they would
– Businesses may want to disable their Java plug-ins, as security experts say the browser plug-in causes problems for organizations that rely on it heavily, especially on websites they do not trust
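A small audit helper, added here as an illustration and not part of the original article, that reads the banner printed by `java -version` and checks it against the update levels the article names (Java 7 Update 17 and Java 6 Update 43); the status labels and the sample banners in the test are constructed for this example.

```python
import re
import subprocess

# Minimum patched update levels named in the article (Oracle's March 2013 release).
MIN_PATCHED_UPDATE = {6: 43, 7: 17}
# Java 6 is retired per the article, so even a patched 6u43 deserves a flag.
RETIRED_MAJORS = {6}

# Matches the first line of `java -version`, e.g. java version "1.7.0_17"
VERSION_RE = re.compile(r'(?:java|openjdk) version "1\.(\d+)\.\d+_(\d+)"')


def parse_java_version(banner):
    """Return (major, update) parsed from a `java -version` banner, or None."""
    match = VERSION_RE.search(banner)
    if not match:
        return None
    return int(match.group(1)), int(match.group(2))


def assess(banner):
    """Classify a banner as vulnerable, patched, retired, unknown or unsupported-major."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unknown"
    major, update = parsed
    minimum = MIN_PATCHED_UPDATE.get(major)
    if minimum is None:
        return "unsupported-major"  # release family not covered by the article's advisory
    if update < minimum:
        return "vulnerable"  # below the update level that closed the exploited bugs
    return "retired" if major in RETIRED_MAJORS else "patched"


def installed_java_banner():
    """Run `java -version` (it prints to stderr) and return its output, '' if no java on PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return proc.stderr + proc.stdout


if __name__ == "__main__":
    banner = installed_java_banner()
    if not banner:
        print("no java on PATH")
    else:
        print(f"{banner.splitlines()[0]} -> {assess(banner)}")
```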

To illustrate how dangerous Java can be if left in its current state, Jon Brodkin wrote on Ars Technica that a flaw identified in February allowed a complete bypass of the Java security sandbox. Security Explorations, an online security firm, said the company was looking into the flaw and would get back to them soon, but as it stood, the flaw could have been leveraged to completely bypass the program's security.

"We've advised before that users who don't need Java should consider uninstalling it, or at least the Java plug-ins used to run Java content in web browsers," the website said. "Even savvy computer users aren't necessarily safe."

Ripple effects reach big names
To show how serious Java's data security problems have become, Krebs On Security reported that attackers have once again leveraged a hole that mirrors a recent attack on security company Bit9. A new zero-day attack was found by FireEye and CyberESI, suggesting that Java 6 Update 41 and Java 7 Update 15 may not have resolved the issues they were meant to fix. Alex Lanstein, a senior security researcher at FireEye, said it is fairly clear that this malware is similar to what came out of the Bit9 attack.

"Most consumers can get by without Java installed, or at least not plugged into the browser," Krebs wrote on his blog. "Because of the prevalence of threats targeting Java installations, I'd urge these users to remove Java or unplug it from the browser. If this is too much trouble, consider adopting a dual-browser approach, keeping Java unplugged from your main browser, and plugged in to a secondary browser that you only use to visit sites that require the plugin."

He wrote that at the beginning of February Oracle pushed out fixes containing 50 patches. A Polish security research company, however, still found further problems with Java, showing how deep these problems run. With big names such as The New York Times, Apple, Microsoft and others also running into trouble from working with Java, companies of every size should be looking at ways to secure Java or stop using it altogether.